Securing Ethernet-based industrial networks - 1

Highly public lapses in the guarding of industrial networks have led to a new awareness. Security is an
essential element of network design and management in today's industrial enterprise. Guidelines produced by
the ODVA, and abridged here in two parts by James Hunt, introduce the concept of cyber-security for
Industrial Ethernet. They provide direction regarding important considerations for cyber security.

CONNECTIVITY to all enterprise processes has
increased productivity while reducing the time
to market for new offerings, but it has also opened
a new path for both desirable and undesirable
connections.

The cost of implementing security should be seen against the loss of assets: product, plant, production, intellectual
property, injury, and/or damage to personnel, products, tools, machines, the environment and company reputation.

Many of today's industrial networks and application
layers use standard Ethernet with Internet
Protocol to connect to the enterprise network
and, in turn, the Internet. The benefits include
increased visibility of plant floor activities, integration
with back-office applications, and lower
total cost of ownership. However, this affects
the security and availability of the industrial
network, as well as the automation and control
systems they interconnect.

Security should address the potential loss of assets
(including product, plant, production, or intellectual
property), injury, and/or damage to
personnel, products, tools, machines, the environment
or company reputation. There is no
'one-size-fits-all' solution to improving
security; it requires changing processes and
managing risk.

The right approach

The first step in determining a security strategy
for an industrial network running EtherNet/IP
or a similar application protocol is identifying
the potential risks. These concepts are expounded
upon in ISA99's Security for Industrial
Automation and Control Systems: Establishing
an Industrial Automation and Control Systems
Security Program. An earlier ISA99 document
is also useful: Security for
Industrial Automation and Control Systems Part
1: Terminology, Concepts, and Models.

The risk for any particular device/system is
the expectation of loss expressed as the probability
that a particular threat will exploit a
particular vulnerability with a particular consequence.

While security incidents in the IT environment
can result in the loss or corruption of
information, in industry cyber security
incidents can physically affect production or
the health, safety, or environment of the organisation
and the surrounding community. For
each risk, three questions should be asked:

• What are the consequences?

• What is the likelihood of the risk occurring?

• What is the cost of prevention versus the cost of the impact?

Reducing risk

There are three general ways to reduce risk.
The first is to use a Defence-in-Depth approach.
No single device or method will secure a
network, so it is necessary to build a system
with many layers of protection that work
together. Defence-in-Depth applies to both
the network's physical and electronic security.
To physically secure the network, control access
to the network devices. Very few factory floor
personnel need access to all industrial
applications, so limit access as far as possible.

To electronically secure the network, install
multiple barriers or virtual walls around and
within it. This makes an attack more difficult
and limits its spread should one occur. The
second way is to institute a process which ensures
that all devices have the most recent security
patches and anti-virus updates.

The third way is to minimise time to recovery.
Regardless of how many methods are used to
prevent an attack, users should be prepared to
handle an incident. Copies of system
configurations, plant diagrams, etc., should be
stored in a secure location for disaster
recovery.

Costs and tradeoffs

There are significant benefits to connecting
automation and control networks with
enterprise networks, but there are trade-offs
between risks and costs. Security is about
minimising the risks and threats while taking
maximum advantage of the benefits. For
example, in connecting the plant to the
enterprise, certain traffic flows and applications
may be allowed to communicate, but others
carrying greater risk need to be restricted.

EtherNet/IP, like most industrial protocols,
uses unencrypted messaging: anyone able to reach
the network can read its traffic and, absent
authentication, forge it. Encrypting and
decrypting messages would significantly increase
both the cost of, and the processing delay in,
the end devices. Instead, most automation and
control networks are protected through network
isolation (air-gaps) or through numerous security
techniques (Defence-in-Depth). For example, one
method of increasing availability is to limit the
traffic flow into the automation and control
network. Limiting the flow to trusted devices on
the plant floor significantly reduces risk.

Confidentiality, authentication and integrity
are normal parts of secure communications over the Internet, but there they are provided by
relatively large and expensive devices with the
processing capacity to spare for encryption.
Requiring small embedded devices to perform
these operations would drastically slow down
communication rates, slow down the ability to
perform control functions, or require very
expensive CPUs to be installed in those devices.
Delays through encryption, decryption and the
extra CPU overhead simply cannot be tolerated
in most automation and control systems.

IT vs industrial requirements

The IT and industrial departments employ
different methods to achieve their goals
because of differing requirements. IT networks,
outside of data centres and servers, have
relatively low requirements for determinism and
availability. A user can wait many seconds for
a web page to load or wait hours for a problem
to be fixed. Industrial networks, however, have
much stricter requirements for determinism and
availability.

Many industrial processes require message
timings on the order of tens of milliseconds
and 99.999% availability. Determinism and
availability requirements for both groups may
become more stringent as the IT department
adds voice and video traffic on their network,
and as multi-axis motion control and safety
is added to industrial networks.

IT departments achieve their goals by providing
many security layers. One such layer is the
firewall that separates the entire enterprise
network from the Internet and other networks;
it inspects all incoming and outgoing
packets and drops any potentially harmful
ones. Within the enterprise network, another
layer of security is provided by placing limitations
on who can access a set of data. Yet
another layer is provided by requiring all
network servers and PCs to have the latest
antivirus and OS patches.

Security - working with IT

If an OS patch is applied to an automation
network the moment it becomes available, the
machine is forced to reload - this is clearly
unworkable for automation systems. Instead,
the automation department should work with
the IT department to explain the automation
requirements. Often these match the requirements
for data centre systems, where patches are
applied during scheduled downtime, and the same
thinking can be applied to automation systems.


It is also important for automation departments
to explain traffic patterns to other departments.
Usually, devices that communicate via
EtherNet/IP do not access or send information
with devices outside the company, so the risk of
a virus infiltrating the enterprise network from
an EtherNet/IP device is very low.

Also, based on traffic patterns, network filters
and firewalls can be configured to prevent
security problems on the enterprise network from
affecting devices on the industrial network and
vice versa.

Best practices

The following breaks down best practices by
the type of industrial network installation,
which represents the level of interconnectivity
between the industrial and enterprise networks.
The security approach should align with the
size and connectivity of the network. Moreover,
installations are extended and migrate over
time, so the security considerations for the
industrial network should be revisited as the
network develops.

Integrating the industrial network with the enterprise
network: a risk factor behind a potential security incident

The best practices outlined with each type of
network are, therefore, additive - the security
best practices for an isolated control network
with a single controller would also apply to an
isolated control network having many
controllers.

The isolated control network with a single
controller is the smallest and least complex
type (Fig. 1). These may be found in small,
single-operator shops, or there may be a large
number of such isolated work cells within an organisation.
While they have only a single
controller, they may have a large number of
adapters and I/O points that require many
switches.

Fig. 1: An isolated control network with single
controller. Such networks may only have a single
controller, but can have a large number of adapters and
I/O points that require many switches.

Because these systems are considered small
and isolated from the enterprise network, the
risks are limited. An attacker would have to be
in direct contact with the network to affect its
operation. The main threat is from infected
computer resources (laptops, USB sticks and
other media attached via a computer on the
network). Users should scan all devices prior
to connecting them, or have a company-owned
secure laptop available for users that need to
connect for maintenance or debugging. Even
systems not having a virus can affect availability
if, for example, they are configured to
act as a DHCP server or have incorrectly
configured network settings.
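The following added example (not part of the ODVA guidelines or of this article) shows how the 'known traffic patterns' of an isolated cell can be written down as an allowlist and checked against observed flows. It serves the traffic-limiting point made under Costs and tradeoffs, the filter configuration based on traffic patterns discussed under Security - working with IT, and the rogue DHCP server case above. The cell subnet, the host addresses and the flow records are invented; the port numbers are the standard EtherNet/IP ones.

```python
"""Allowlist check for the traffic pattern of one EtherNet/IP cell.

Constructed example: the cell subnet, host addresses and flow records below
are invented for illustration and do not come from any real plant. The port
numbers are the standard EtherNet/IP ones: TCP 44818 for explicit (CIP)
messaging and UDP 2222 for implicit (I/O) messaging.
"""
from dataclasses import dataclass
import ipaddress

CELL_SUBNET = ipaddress.ip_network("192.168.10.0/24")   # assumed cell address space
BROADCAST = ipaddress.ip_address("255.255.255.255")
CONTROLLER = "192.168.10.1"                              # assumed PLC address
WORKSTATION = "192.168.10.200"                           # assumed engineering workstation
ADAPTERS = {"192.168.10.11", "192.168.10.12", "192.168.10.13"}  # assumed I/O adapters
DHCP_SERVER = "192.168.10.2"                             # the only host allowed to answer DHCP

ENIP_EXPLICIT_TCP = 44818
ENIP_IMPLICIT_UDP = 2222
DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    sport: int
    dport: int


def in_cell(addr: str) -> bool:
    """True for cell addresses and the limited broadcast address used by DHCP."""
    ip = ipaddress.ip_address(addr)
    return ip in CELL_SUBNET or ip == BROADCAST


def classify(flow: Flow) -> str:
    """Return 'allow', or 'deny: <reason>' when the flow is outside the known pattern."""
    # Anything crossing the cell boundary is outside the pattern of an isolated cell.
    if not (in_cell(flow.src) and in_cell(flow.dst)):
        return "deny: crosses the cell boundary"

    # A DHCP server reply (source port 67) from anyone but the designated server
    # is the "laptop accidentally configured as a DHCP server" case.
    if flow.proto == "udp" and flow.sport == DHCP_SERVER_PORT:
        return "allow" if flow.src == DHCP_SERVER else "deny: rogue DHCP server"
    if flow.proto == "udp" and flow.sport == DHCP_CLIENT_PORT and flow.dport == DHCP_SERVER_PORT:
        return "allow"  # a client asking for an address is harmless by itself

    # Explicit messaging: only the workstation (to the controller) and the
    # controller (to its adapters) may open CIP sessions.
    if flow.proto == "tcp" and flow.dport == ENIP_EXPLICIT_TCP:
        if flow.src == WORKSTATION and flow.dst == CONTROLLER:
            return "allow"
        if flow.src == CONTROLLER and flow.dst in ADAPTERS:
            return "allow"
        return "deny: unexpected explicit-messaging client"

    # Implicit I/O runs only between the controller and its own adapters, either way.
    if flow.proto == "udp" and flow.dport == ENIP_IMPLICIT_UDP:
        if flow.src == CONTROLLER and flow.dst in ADAPTERS:
            return "allow"
        if flow.dst == CONTROLLER and flow.src in ADAPTERS:
            return "allow"
        return "deny: implicit I/O with an unknown device"

    return "deny: no matching traffic pattern"


def audit(flows):
    """Return the flows that violate the allowlist, paired with the reason."""
    violations = []
    for flow in flows:
        verdict = classify(flow)
        if verdict != "allow":
            violations.append((flow, verdict))
    return violations


# Constructed flow records, as a switch SPAN port or flow export might show them.
SAMPLE_FLOWS = [
    Flow(CONTROLLER, "192.168.10.11", "udp", 2222, 2222),       # normal I/O
    Flow("192.168.10.11", CONTROLLER, "udp", 2222, 2222),       # normal I/O
    Flow(WORKSTATION, CONTROLLER, "tcp", 51000, 44818),         # engineer online
    Flow("192.168.10.77", CONTROLLER, "tcp", 40000, 44818),     # unknown laptop
    Flow("192.168.10.77", "255.255.255.255", "udp", 67, 68),    # rogue DHCP offer
    Flow(CONTROLLER, "10.0.0.5", "tcp", 51001, 443),            # leaves the cell
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}/{flow.proto}  {reason}")
```

The same table is what a managed switch ACL or a segmentation firewall would be configured from; writing it out first, and running it against captured flows, is the check that the filters will not block the normal traffic the article warns about.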

Another possible threat is the destruction
or manipulation of the controller code
(unintentional or intentional). Since these
systems usually don't have many operators,
there may not be any tracking of changes made
to the controller or other network devices. The
consequences usually result in the lack of availability
of the controller or other resource. An
incident may have health, safety, or environmental
effects, but will typically be limited
to the area around the industrial network.
Configurations should be backed up and stored
in a secure location.

Managed switches

While not required for performance reasons in
an isolated control network, managed switches
can improve network security. They can be
configured to limit the traffic rate on a perport
basis, using known traffic patterns, via
port-based security (e.g., MAC or IP port
security). The switch's management features
(e.g., QoS, IGMP) can also improve network
security. The effect of a network storm resulting
from a virus or damaged equipment can be
minimised this way. Users should be careful to
configure traffic filters so that normal traffic
isn't blocked. Switch ports not regularly used
should be disabled to prevent accidental
connection to the industrial network.

Device maintenance

It is fairly common for larger users to have
maintenance contracts on some devices that
require a technician to monitor and perform
regular maintenance on a device, either locally
or via secure remote access. If maintenance
is being conducted locally, a strict policy must
be enforced on access to the industrial and
enterprise networks. Individuals should not be
allowed to connect unknown devices without
first being checked for current anti-virus
updates, software patches or compatibility with
the network and applications.

If the maintenance needs to be conducted
remotely (dial-up phone line, cellular router,
VPN, Internet, etc.), then the network is
considered to be enterprise connected and an
integrated system, and should be treated as
such. A security policy and procedure must be
enforced, dictating the authorised users and
activity for this connection. The remote
connection should use a network segmentation
device and should be monitored for any activity
outside the recognised security policy.

If the device has a web interface or SNMP,
the default password (and any default SNMP
community string) should be changed. Avoid
posting the password in a public or non-secure
location. Disable unnecessary ports and services.

End-device security

Devices in the industrial network that run a
common OS allow the introduction of malware, such
as viruses, worms, Trojan horses or other common
end-device attacks, which usually target that
OS. Anti-virus software and regular patching
are the common mechanisms for reducing the
potential of an attack, or the downtime resulting
from one.

An end-device in an industrial network may
not be patched as easily or as regularly
as, for example, an enterprise computer, but
a regular maintenance schedule should be developed and kept. Many embedded systems,
such as the PLC/PAC or EtherNet/IP remote I/O,
do not use these operating systems. Such
systems are less complex and do not support
as many networking features as an office PC,
so they need fewer security updates.

Since many EtherNet/IP devices use non-IT
hardware and operating systems, the number of
viruses, worms, Trojan horses, etc., targeting
them has remained minimal. However, industrial
automation and control systems may still be
affected by standard DoS attacks on the network,
and PC-based EtherNet/IP devices could be
affected through standard email, webpage and
file exchange attack methods.

End devices having common operating
systems, such as a Windows-based machine,
should have security applied for protection
such as virus software and should be upgraded
and maintained on a regularly scheduled basis.
In addition, the use of browser and other
Internet applications has been a significant
source of security breaches and attacks.
Consider limiting Internet access or network
accessibility of end-devices in the production
environment.

Network management

This plays a key role in any automation and
control security approach. Monitoring network
and application services is key to recognising
and reacting to attacks or breaches. For
example, attacks based on sending malformed
packets allow an attacker to either disrupt or
take over commercial or industrial devices.
Malformed packet attacks are possible because
of incomplete or non-robust implementations
of the existing TCP/IP suite and industrial
protocols. Malformed packets and other
improper communication can adversely affect
performance, or could breach a device.

Managing and monitoring of the network and
automation and control devices for CIP errors
will help identify and stop such threats, or at
least identify possible security breaches. Best
practices include setting thresholds in the end
devices and controllers to warn operations
personnel that abnormally high packet failures
or other unexpected conditions have occurred.
Similarly, monitoring and management of key
network statistics and errors can help prevent
attacks targeted at both end devices and the
network infrastructure itself.
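As an added example of the threshold practice described above (not code from the ODVA guidelines or this article), the block below compares consecutive polls of a device's cumulative packet and CIP error counters and raises an alert when the error rate or the number of new CIP connection timeouts in an interval is abnormally high. The device names, counter values and threshold values are invented; it also handles the case where a counter goes backwards, which usually means the device rebooted or was reset and is worth an operator's attention in its own right.

```python
"""Threshold alerts on device error counters, a constructed example.

Each Sample is what one monitoring poll might record for a device, whether
read via SNMP interface counters or the device's own CIP diagnostics: the
cumulative packets received, packets in error and CIP connection timeouts.
The device names, counter values and thresholds are invented for illustration.
"""
from collections import defaultdict
from typing import NamedTuple


class Sample(NamedTuple):
    device: str
    t: int          # seconds since the start of the poll series
    packets: int    # cumulative packets received
    errors: int     # cumulative packets rejected as malformed or in error
    timeouts: int   # cumulative CIP connection timeouts


ERROR_RATE_LIMIT = 0.01   # more than 1% of packets in error per interval is abnormal
TIMEOUT_LIMIT = 3         # more than 3 new CIP timeouts per interval is abnormal


def error_alerts(samples, rate_limit=ERROR_RATE_LIMIT, timeout_limit=TIMEOUT_LIMIT):
    """Compare consecutive polls per device; return (device, t, kind) alert tuples.

    Counters are cumulative, so the interesting quantity is the delta between
    polls. A delta that goes negative means the device rebooted or its
    counters were reset, which is reported as its own kind of alert.
    """
    by_device = defaultdict(list)
    for s in samples:
        by_device[s.device].append(s)

    alerts = []
    for device, rows in by_device.items():
        rows.sort(key=lambda r: r.t)
        for prev, cur in zip(rows, rows[1:]):
            d_packets = cur.packets - prev.packets
            d_errors = cur.errors - prev.errors
            d_timeouts = cur.timeouts - prev.timeouts
            if min(d_packets, d_errors, d_timeouts) < 0:
                alerts.append((device, cur.t, "counter_reset"))
                continue
            # max(..., 1) so that errors with no good packets at all still count.
            rate = d_errors / max(d_packets, 1)
            if d_errors and rate > rate_limit:
                alerts.append((device, cur.t, "error_rate"))
            if d_timeouts > timeout_limit:
                alerts.append((device, cur.t, "cip_timeouts"))
    return alerts


# Constructed poll data: a quiet adapter that then starts rejecting packets
# (as it would under a malformed-packet flood), and a controller whose
# counters restart after an unexplained reboot.
SAMPLES = [
    Sample("io-adapter-1", 0, 100_000, 10, 0),
    Sample("io-adapter-1", 60, 160_000, 12, 0),
    Sample("io-adapter-1", 120, 220_000, 1_500, 5),
    Sample("plc-1", 0, 500_000, 40, 1),
    Sample("plc-1", 60, 560_000, 41, 1),
    Sample("plc-1", 120, 3_000, 0, 0),
]

if __name__ == "__main__":
    for device, t, kind in error_alerts(SAMPLES):
        print(f"t={t:>4}s {device}: {kind}")
```

The thresholds are deliberately relative (errors per packets seen in the interval) rather than absolute, so a busy I/O adapter and a lightly loaded controller can share the same rule; the absolute limit on CIP timeouts catches the case where connections are being dropped without a matching rise in packet errors.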

Using encryption for access to the network
infrastructure is an IT best practice that is also
suited to plant networks: SNMPv3, SSH and HTTPS
should be used for accessing and managing
infrastructure devices in place of SNMPv1/v2c,
Telnet and HTTP, which send credentials and
commands in the clear. Encryption should be
accompanied by authentication and authorisation
for access to the network infrastructure
(logins, passwords and access to individual
parameters). Simple actions like posting
banners on login pages to indicate the type of
switch being accessed can help limit errors or
unintentional mistakes.

Many controllers

Larger installations may need more than one controller on the industrial
network, but corporate policy may require that the industrial network
be isolated from the enterprise network (Figure 2). Networks of this
type can have a multi-layered architecture using managed switches and
VLANs to segment the larger number of devices, including local servers.
Controllers can be put into different VLANs to improve overall system
performance and availability by separating traffic between devices.

Fig. 2: An isolated control network with many controllers. Networks of this type can
have a multi-layered architecture using managed switches and VLANs to segment the
larger number of devices, including local servers.

Because of the extra complexity of such networks, it is possible for an
incident at one end of a facility to affect a device on the other end,
although VLANs help limit the effect. An attacker would still need to be
in direct contact with the network to affect plant operations but this may occur more often than in single controller networks. A larger organisation
may have contractors working alongside employees maintaining
or operating equipment. The industrial network may exist throughout
an entire facility and, in addition, may have many open and susceptible
network ports.

As with the single controller network, one of the main threats comes
in the form of infected computer resources. Another threat that is shared
between single and multiple controller systems would be the unintentional
or intentional destruction or manipulation of the controller code.
In the multiple controller case, it may be because of an attacker maliciously
attempting to affect the process, or it could come from the plant
engineer uploading a program to the wrong controller. In general, these
incidents would be very similar to the single controller case, but the
consequences would not be limited to affecting only the local area.
An incident at one location may affect the area surrounding the
controller, another area at the facility, or the entire facility. Incidents
on this type of network would not typically affect many facilities unless
a dedicated industrial network had been configured between those
facilities.

Networks having many controllers can be larger and more complex than
any one person can manage, so it is good practice to develop detailed
policies and procedures to ensure that security practices are being
followed. The industrial network should be designed to protect the
devices and controllers from inadvertent events that may disrupt normal
operations.